Searchguard without tls

Continuing the discussion from Query on searchguard without tls:

Hi @jkressin,
I am using ELK with searchguard in a kubernetes environment. I want to use Istio (mTLS), which takes care of pod-to-pod TLS communication.
So I want to know if there is a way to disable TLS within searchguard and only enable its authentication/authorization features?

You can’t disable TLS on the transport layer. You can disable it only for the REST API. The available TLS configuration options: Configuring TLS | Security for Elasticsearch | Search Guard

What is the problem? Doesn’t Istio work with TLS?

@srgbnd,
Since we are enabling mTLS on all pods (using Istio), we would want to remove the transport layer tls when SG is enabled, so that communication between all pods would be encrypted by istio’s mTLS.

Also, one more clarification:
Transport layer - would mean inter-node communication between elasticsearch nodes using port 9300.
REST API - would mean communication between any client (could be logstash, fluentd, curl etc) to elasticsearch and would use the port 9200.
Is this understanding correct?

Right, the transport layer is used for internal communication between nodes in a cluster. The transport port range defaults to TCP 9300-9400. The REST API in our case is the SearchGuard programming interface, for example, Access Control | Security for Elasticsearch | Search Guard. The API port defaults to 9200.

TLS doesn’t care what data you send or receive, so it can be another TLS session. TLS inside TLS. You can even reuse the same certificate.

Thanks @srgbnd. A follow up question to that: Istio rotates certificates on a regular basis. Once the certificates change, is it sufficient to just run SGadmin to update the new certificates? Or would we need to restart elasticsearch as well?

You don’t need to restart after sgadmin has been used.

@shivani.aggarwal2195 I’m sorry, I was wrong. You must restart if you want to renew a certificate. Please read this thread to find out more Let's Encrypt renewal - restart required?

Ok, thanks for the information @srgbnd Point noted :slight_smile:

I have a few queries about using searchguard with istio:

  1. If searchguard has been tested with istio in your labs, can you please provide us with any specific configurations required for the setup.

  2. With istio in PERMISSIVE mode, it worked for us. I had
     • disabled tls on the rest layer in searchguard
     • provided certificates for node to node communication (transport layer)
     • provided a client certificate (--keystore) to run SGAdmin.

  3. With istio in STRICT mode, with the same settings as in point 2, it does not work. It throws the below error -

     /usr/share/elasticsearch/plugins/search-guard-7/tools/sgadmin.sh -cd $SG_CONFIG_DIRECTORY -ts $TRUSTSTORE_FILEPATH -ks $CLIENT_KEYSTORE_FILEPATH -cn $CLUSTER_NAME -kspass $KS_PWD -tspass $TS_PWD -h $HOSTNAME -nhnv -dg
     Search Guard Admin v7
     Will connect to mahe-ee-belk-elasticsearch-client-776c898cc8-f2bvb:9300 … done
     10:35:40.048 [elasticsearch[client][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to

     ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
     Trace:
     NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{mDp4h8d5TbCo6lws76uVGw}{mahe-ee-belk-elasticsearch-client-776c898cc8-f2bvb}{192.168.41.162:9300}]]
             at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:352)

  4. Are the client certificate and truststore certificates (the arguments --keystore & --truststore) mandatory to run SGadmin?

Not always. Look at sgadmin examples. Also, the sgadmin troubleshooting doc can be useful.

It means that the certificate you use can’t be validated against the root or an intermediate certificate. Something wrong in your certificate chain. Check your certificates using tips from the Troubleshooting TLS doc.

  1. Can we run sgadmin without passing any certificates at all? (i.e. no pem, jks, or *.crt) Something like “./sgadmin.sh -cd /path/to/sgconfig/ -nhnv -icl”?

  2. We want to run ELK+searchguard with istio. We have disabled tls on the http(rest) layer in searchguard, but as we know, on the transport layer, tls cannot be disabled.
    Now, we want to re-use the Istio’s certificate as the node certificate for searchguard’s transport layer. Can we re-use the same certificate as admin certificate too and run sgadmin using this ?

No, we can’t. It would be insecure. You need either JKS or PEM. Look at the sgadmin code, here are the validation checks

The sgadmin accepts only the following certificate extensions: PEM and JKS.

Above, I meant you could re-use a certificate from Istio if it has PEM extension. But you need two certificates to run SearchGuard: node and admin.
